Sonatype Blog: Latest Posts

Analysis: Flashback Spread Via Social Engineering, Then Java Exploits

April 19, Threatpost – (International) Analysis: Flashback spread via social engineering, then Java exploits. Kaspersky Lab’s latest analysis of the Mac OS X Flashback botnet revealed that its malware was spread via drive-by downloads on hacked WordPress Web sites. From September 2011 until February 2012, the Flashback creators distributed the trojan through compromised WordPress sites that prompted users to download various iterations of a fake Adobe Flash Player update that was, in actuality, the Mac trojan. The attacks started with social engineering lures, and it was not until February that the Flashback authors began using exploits to grow the botnet. They exploited known Java vulnerabilities, at least two of which date back as far as June 2009. More importantly, though, Flashback’s creators took advantage of the window of exposure between Oracle’s and Apple’s patch schedules. A Kaspersky researcher said Apple creates its own patches to fix Java vulnerabilities instead of using Oracle’s, so the bugs had already been patched by Oracle while Apple had not yet deployed its patches. The researcher noted that, historically, there was on average a 2-month delay between Oracle’s fixes, which come first, and Apple’s. In March 2012, Flashback’s authors started making use of a Russian partner program that somehow injected redirect scripts into legitimate Web sites. The researcher said tens of thousands of WordPress sites were infected in late February and early March and noted that other estimates put the number as high as 100,000 infected sites. It was unclear how the sites became infected, but the researcher believed the bloggers were either using vulnerable versions of WordPress or had installed the ToolsPack plugin.